Continuing from the last post on MPF (Modular Policy Framework) on the Cisco ASA series, Juniper's next-generation firewalls (the SRX series, running Junos) can also be used to block unwanted sites. While the SRX supports integration with SurfControl/Websense and similar services, this post focuses on the built-in capabilities, just as the ASA post did.
The UTM (Unified Threat Management) feature is integrated into SRX devices. To block one or more sites:
1. First, create a custom block list containing the websites you want to block.
custom-objects {
    url-pattern {
        badsite {
            value www.facebook.com;
        }
        addictivesite {
            value www.twitter.com;
        }
    }
    custom-url-category {
        bad-sites {
            value [ addictivesite badsite ];
        }
    }
}
As you can see, the custom URL category 'bad-sites' above contains the sites 'www.facebook.com' and 'www.twitter.com'; depending on your preferences, other time-eating sites such as Facebook, Twitter, MySpace and so on can be listed here. Again, the advantage is that the match is made on the URL rather than on IP addresses, so it stays effective however many servers the site is hosted on around the world.
2. Then create a web-filtering policy that allows the traffic only after screening the type of site it is going to, as below:
policies {
    from-zone trust to-zone untrust {
        policy utm {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    application-services {
                        utm-policy wf-block-specfic-categories;
                    }
                }
            }
        }
    }
}
utm {
    feature-profile {
        web-filtering {
            url-blacklist bad-sites;    # sites in the bad-sites category are blocked
        }
    }
    utm-policy wf-block-specfic-categories {
        web-filtering {
            http-profile block-selected-sites;
        }
    }
}
Along with this, the SRX also supports custom block messages, and the block can be made time-bound: if you don't want to block a site completely but only during business hours, that is possible too with scheduled policies.
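Steps 1 and 2 above, together with the custom block message and the business-hours scheduling just mentioned, as one consistent set-form configuration. This is an added example, not configuration from the original post: the local web-filtering profile block-selected-sites (referenced in the post but never defined there), the block message text, the allow-out policy and the business-hours scheduler name and times are all assumed here.

```junos
# Added example, not from the original post. Assumed names: profile
# block-selected-sites, policy allow-out, scheduler business-hours.

# Step 1: URL patterns grouped into a custom category (matching is on the URL, not on IP addresses)
set security utm custom-objects url-pattern badsite value www.facebook.com
set security utm custom-objects url-pattern addictivesite value www.twitter.com
set security utm custom-objects custom-url-category bad-sites value badsite
set security utm custom-objects custom-url-category bad-sites value addictivesite

# Step 2a: on-box (juniper-local) web filtering; the blacklist category is blocked, everything else permitted
set security utm feature-profile web-filtering url-blacklist bad-sites
set security utm feature-profile web-filtering type juniper-local
set security utm feature-profile web-filtering juniper-local profile block-selected-sites default permit
set security utm feature-profile web-filtering juniper-local profile block-selected-sites custom-block-message "Access to this site is blocked by company policy"
set security utm feature-profile web-filtering juniper-local profile block-selected-sites fallback-settings default permit

# Step 2b: UTM policy that applies the profile to HTTP, and the security policy that invokes it
set security utm utm-policy wf-block-specfic-categories web-filtering http-profile block-selected-sites
set security policies from-zone trust to-zone untrust policy utm match source-address any
set security policies from-zone trust to-zone untrust policy utm match destination-address any
set security policies from-zone trust to-zone untrust policy utm match application any
set security policies from-zone trust to-zone untrust policy utm then permit application-services utm-policy wf-block-specfic-categories
set security policies from-zone trust to-zone untrust policy utm then log session-init

# Time-bound blocking: the utm policy is only active during business hours (assumed 09:00-18:00);
# outside that window it is skipped and the following allow-out policy permits the traffic without UTM
set schedulers scheduler business-hours daily start-time 09:00:00 stop-time 18:00:00
set security policies from-zone trust to-zone untrust policy utm scheduler-name business-hours
set security policies from-zone trust to-zone untrust policy allow-out match source-address any
set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
set security policies from-zone trust to-zone untrust policy allow-out match application any
set security policies from-zone trust to-zone untrust policy allow-out then permit
```

Policy order matters: the utm policy is configured before allow-out, so during business hours it is evaluated first and all web traffic passes through the filtering profile; when its scheduler is inactive, evaluation falls through to allow-out. The `then log session-init` line records every session the utm policy handles, which is the starting point if you only want statistics on who visits the listed sites; to record rather than block a category, the local profile also accepts a per-category `action log-and-permit` in place of blocking.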

You could just as easily not block this and just log the traffic for statistical purposes, correct?
Of course you should be able to do that as well!
To block Facebook, I use this Facebook blocker called FB Blocker; you can find it here: htt://www.fbblocker.com
The above configuration doesn't block https://www.facebook.com on the SRX.
People using Facebook and YouTube have found a very clever way to trick the filters by using the https:// version of the websites.
Having tested this, it really works, and not only for Facebook and YouTube but also for many other sites which are categorised as adult or not permitted!
Does this mean that Juniper sucks regarding web filtering?
The way to block Facebook on the SRX is not as easy as explained here. There is a lot of configuration to be done to achieve this. Even JTAC has no clue how to block HTTPS Facebook using only the SRX.